10-12-2012 03:32 AM
Hi
I have a problem configuring an IPsec L2L VPN between my Cisco ASA 5510 with HA and a remote LAN configured with 2 Cisco routers with HSRP on the LAN.
I configured a static crypto map with the definition of the two peers (master and backup).
Sometimes it happens that the VPN is established with the backup router. Phase 2 is up but no traffic passes between the two networks.
10-20-2012 11:44 PM
Hi,
Why do you add two peers? On the ASA you only need one, the VIP.
As you know, in a specific HSRP group there is one VIP; this is going to be considered the VPN peer.
Please let me know.
Portu.
Please rate any helpful posts
10-21-2012 12:40 AM
Hello,
As I understood, you have an active/standby failover cluster on the ASA side and then an HSRP cloud for the local area network on the routers' side. But for the WAN side you are using 2 different broadcast domains. That is why you have 2 crypto-map peers and 2 tunnel-groups on your ASA, correct?
Now, can you check if you have the same crypto ACL for both peers? If possible, post the configuration from the active ASA and the 2 routers.
Regards,
Julio
10-22-2012 11:34 PM
Hi, as Julio said,
I have the HSRP only on the routers on the LAN side.
My ASA configuration is the following:
access-list aclVpn extended permit ip 172.20.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list nonat extended permit ip 172.20.0.0 255.255.0.0 172.16.10.0 255.255.255.0
crypto map cryptosede 1 match address aclVpn
crypto map cryptosede 1 set peer peerHDSL peerADSL
crypto map cryptosede 1 set transform-set fimuset
crypto map cryptosede 1 set security-association lifetime seconds 28800
tunnel-group peerHDSL type ipsec-l2l
tunnel-group peerHDSL ipsec-attributes
pre-shared-key *
tunnel-group peerADSL type ipsec-l2l
tunnel-group peerADSL ipsec-attributes
pre-shared-key *
Do you think that I need to create two separate ACLs and crypto maps?
Sometimes it happens that the VPN comes up on both routers and the traffic is split (transmitted packets go to one peer and received packets come from the other one).
10-23-2012 09:18 AM
Hello,
No, on the ASA side you are fine.
Now, the router side is where you need 2, as you have 2 outside WAN interfaces.
Are you using 2 broadcast domains on the router side?
Remember to rate all of the helpful posts ( if you need to know how to rate the posts let me know )
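Julio's question above ("do you have the same crypto ACL for both peers, and matching tunnel-groups?") is the kind of consistency check that is easy to get wrong by hand when a crypto map carries a primary and a backup peer. The script below is an added example, not code from the thread or from Cisco: it parses the ASA fragment posted in this thread (embedded here as a constructed sample) and reports, for every crypto map entry, whether its crypto ACL exists, whether it has a transform-set, and whether every listed peer has a tunnel-group of type ipsec-l2l with ipsec-attributes (i.e. a pre-shared key), and finally whether the NAT-exemption ACL carries the same entries as the crypto ACL. The names `parse`, `check`, `ASA_CONFIG` and the `nonat_acl` parameter are this example's own assumptions, as is the simplified line grammar (it only understands the command forms that appear in the post).

```python
import re
from collections import defaultdict

# Constructed sample: the ASA fragment from the thread (with the nonat ACL
# the original poster listed), so the checker can run offline.
ASA_CONFIG = """\
access-list aclVpn extended permit ip 172.20.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list nonat extended permit ip 172.20.0.0 255.255.0.0 172.16.10.0 255.255.255.0
crypto map cryptosede 1 match address aclVpn
crypto map cryptosede 1 set peer peerHDSL peerADSL
crypto map cryptosede 1 set transform-set fimuset
crypto map cryptosede 1 set security-association lifetime seconds 28800
tunnel-group peerHDSL type ipsec-l2l
tunnel-group peerHDSL ipsec-attributes
 pre-shared-key *
tunnel-group peerADSL type ipsec-l2l
tunnel-group peerADSL ipsec-attributes
 pre-shared-key *
"""


def parse(config):
    """Extract ACLs, crypto map entries and tunnel-groups from ASA config text.

    Only the command forms seen in the thread are recognised (assumption);
    anything else, e.g. the SA lifetime line, is ignored.
    """
    acls = defaultdict(list)      # ACL name -> list of ACE strings
    cmaps = defaultdict(dict)     # (map name, seq) -> {"acl", "peers", "transform"}
    tgroups = defaultdict(dict)   # tunnel-group name -> {"type", "ipsec_attrs"}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) extended (.*)", line):
            acls[m.group(1)].append(m.group(2))
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            cmaps[(m.group(1), int(m.group(2)))]["acl"] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (.+)", line):
            cmaps[(m.group(1), int(m.group(2)))]["peers"] = m.group(3).split()
        elif m := re.match(r"crypto map (\S+) (\d+) set transform-set (\S+)", line):
            cmaps[(m.group(1), int(m.group(2)))]["transform"] = m.group(3)
        elif m := re.match(r"tunnel-group (\S+) type (\S+)", line):
            tgroups[m.group(1)]["type"] = m.group(2)
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            # A stray token (e.g. "tunnel-group X 1 ipsec-attributes") will not
            # match here, so the peer is reported as lacking ipsec-attributes.
            tgroups[m.group(1)]["ipsec_attrs"] = True
    return acls, cmaps, tgroups


def check(config, nonat_acl="nonat"):
    """Return a list of human-readable problems; an empty list means consistent."""
    acls, cmaps, tgroups = parse(config)
    problems = []
    for (name, seq), entry in sorted(cmaps.items()):
        tag = f"crypto map {name} {seq}"
        acl = entry.get("acl")
        if acl is None:
            problems.append(f"{tag}: no 'match address'")
        elif acl not in acls:
            problems.append(f"{tag}: crypto ACL {acl} is not defined")
        if "transform" not in entry:
            problems.append(f"{tag}: no transform-set")
        peers = entry.get("peers", [])
        if not peers:
            problems.append(f"{tag}: no peer")
        # Every peer (primary and backup) needs its own complete tunnel-group.
        for peer in peers:
            tg = tgroups.get(peer)
            if tg is None:
                problems.append(f"{tag}: peer {peer} has no tunnel-group")
            elif tg.get("type") != "ipsec-l2l":
                problems.append(f"{tag}: tunnel-group {peer} is not type ipsec-l2l")
            elif not tg.get("ipsec_attrs"):
                problems.append(f"{tag}: tunnel-group {peer} has no ipsec-attributes")
        # NAT exemption should cover exactly the traffic the crypto ACL selects.
        if acl in acls and nonat_acl in acls and acls[acl] != acls[nonat_acl]:
            problems.append(f"{tag}: ACL {acl} and {nonat_acl} do not match")
    return problems


if __name__ == "__main__":
    for p in check(ASA_CONFIG) or ["no problems found"]:
        print(p)
```

Run against the posted fragment the checker finds nothing, which matches Julio's verdict that the ASA side is fine: one crypto map entry, one crypto ACL shared by both peers, and a tunnel-group per peer. The router side is where two crypto maps (one per WAN interface) referencing the same crypto ACL are needed, and the same kind of check can be run over each router's config after adapting the regexes to IOS syntax.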